Was This the Phishing E-mail That Took Down RSA?

← Back to Stories (view on slashdot.org)

Was This the Phishing E-mail That Took Down RSA?

Posted by Soulskill on Friday August 26, 2011 @01:35AM from the hello-sir-madam dept.

alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."

165 comments

Min score:

Reason:

Sort:

Testing by Anonymous Coward · 2011-08-26 01:40 · Score: -1

Yes
All it takes by Anonymous Coward · 2011-08-26 01:41 · Score: 1

is one careless user. How many secretaries, finance weenies, inside sales or middle managers at RSA actually are part of that "most respected computer security" knowledge at the company? I'm guess they have a lot of people who know nothing about security, much like every other company.
1. Re:All it takes by jhoegl · 2011-08-26 01:47 · Score: 2
  
  Actually, if you have proper network, server, and file access constraints, you can limit exposure depending on the person that gets phished.
  
  That said, most companies think convenience > security.
2. Re:All it takes by Hatta · 2011-08-26 01:53 · Score: 5, Insightful
  
  So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user, RSA should know about defense in depth.
  
  --
  Give me Classic Slashdot or give me death!
3. Re:All it takes by Hijacked+Public · 2011-08-26 01:54 · Score: 1
  
  You are paraphrasing the last line of the article. And it isn't like everyone working on computer security isn't well aware, especially a company that sells a product designed to mitigate user silliness like lousy password.
  What is more striking to me is that a bug in some minor piece of convenience software is enough, despite efforts at sandboxing and UAC type prompts and ACLs and firewalls and sniffing and all that, to eventually compromise the most important asset a RSA had.
  
  --
  "Sacrifice for the good of The State" - The State
4. Re:All it takes by Skarecrow77 · 2011-08-26 01:59 · Score: 4, Insightful
  
  Being the most secure company on earth is awesome until you go out of business because nobody could get any work done and make the company any money.
  There is a balance between convenience and security.
5. Re:All it takes by arth1 · 2011-08-26 02:01 · Score: 1
  
  In theory. In practice, when the boss tells you to remove a hurdle by giving untrustworthy resources access to a trusted resource, it's bad for job security to say "no because it's bad for corporate security".
6. Re:All it takes by Pope · 2011-08-26 02:06 · Score: 1
  
  Bullshit. You escalate to *his* boss and explain why you won't violate company security policies.
  
  --
  It doesn't mean much now, it's built for the future.
7. Re:All it takes by AngryDeuce · 2011-08-26 02:08 · Score: 4, Insightful
  
  There is a balance between convenience and security.
  Of course there is, but given how often these problems are happening as of late, it seems clear that very few of these companies are finding that balance. One would think the inconvenience of higher security would pale in comparison to the inconvenience of rebuilding your reputation after the entire world watches your organization get brought to it's knees, or lose copious amounts of proprietary data, due to ridiculous things like phishing expeditions.
8. Re:All it takes by MichaelKristopeit423 · 2011-08-26 02:10 · Score: -1
  
  then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.
  you're an idiot.
9. Re:All it takes by datapharmer · 2011-08-26 02:10 · Score: 0
  
  Yes. the balance is security >= convenience. If your security fails and you embarrass/endanger your customers or expose your secrets to your competition you go out of business, so the convenience has no intrinsic value. Being inconvenienced is different than not being able to get things done, and good security is rarely much of an inconvenience, because overly complex systems tend to have flaws that are missed due to their complexity. In many cases simple=best.
  
  --
  Get a web developer
10. Re:All it takes by fuzzyfuzzyfungus · 2011-08-26 02:12 · Score: 5, Insightful
  
  My understanding is that the attack proceeded in multiple steps and that knocking over a soft target was just a convenient opening move. Anybody who can be cracked just by duping some support person is Doing It Wrong; but it is hard to imagine a structure where having access to one or more low privilege accounts wouldn't make an attacker's life somewhat easier.
  
  Now, as for the broader question of why RSA retained the seed keys for a nontrivial slice of the US's more security-touchy corporations in any remotely online-accessible form, or why those customers accepted that arrangement... There are not words enough to condemn that level of folly.
11. Re:All it takes by pyrosine · 2011-08-26 02:14 · Score: 1
  
  This isnt necessarily true - unless you have entirely separate networks for departments that dont need access to another department's resources, there will still be access elevation bugs that can be exploited. Phishing the login of someone as basic as the cleaner (dont ask me why they would have computer access) could quickly elevate to root access - opening up other computers on the network to attack
12. Re:All it takes by datapharmer · 2011-08-26 02:15 · Score: 3, Interesting
  
  I've found you don't want to work for companies that don't listen to their IT departments as that is bad for job security. A smart boss will listen to a reasoned explanation as to why something is a bad idea. If they don't you should work for them as a consultant and not as an employee - companies with bad IT policies make great clients for consultants, because they spend far more on IT than companies that listen to their IT staff.
  
  --
  Get a web developer
13. Re:All it takes by delinear · 2011-08-26 02:23 · Score: 1
  
  But for a firm whose bottom line is securing your access, the balance should be heavily tipped in favour of security. We know security is inconvenient, that's why we pay a firm to handle it. We don't want said firm to just do what's convenient, or we'd just do it ourselves, much cheaper.
14. Re:All it takes by somersault · 2011-08-26 02:25 · Score: 1
  
  If your security fails and you embarrass/endanger your customers or expose your secrets to your competition you go out of business
  You didn't really pay attention after all the Sony hacks etc this year, did you?
  
  --
  which is totally what she said
15. Re:All it takes by Anonymous Coward · 2011-08-26 02:27 · Score: 0
  
  So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user, RSA should know about defense in depth.
  Pawn, to rook, to bishop, to queen, to king.
16. Re:All it takes by ObsessiveMathsFreak · 2011-08-26 02:32 · Score: 1
  
  one careless user.
  Nonsense. It takes institution wide use of an operating system with systemic security issues. It take a network where a secretaries computer effectively has access to files relating to defence contractors. It takes a tinderbox network, pre-doused in gasoline in order for one tiny spark to ignite such an inferno.
  An international military security verifcation network, compromised by a single flash file in an Excel sheet, opened on a secretaries computer; And it's the secretaries fault? Give me a break.
  
  --
  May the Maths Be with you!
17. Re:All it takes by fuzzyfuzzyfungus · 2011-08-26 02:37 · Score: 1
  
  You appear dangerously close to suggesting that something this embarrassing might be the fault of somebody who matters, rather than a cog who should have known better and is 'no longer working for the company', as they say... I'm not sure we can have such talk about our betters here...
18. Re:All it takes by AngryDeuce · 2011-08-26 02:38 · Score: 1
  
  But Sony's reputation is pretty damaged right now. They've already lost hundreds of millions of dollars in the costs to clean up the mess and had to slash prices of their hardware to spur sales. The timeline on this is going to be years long, not months.
19. Re:All it takes by E+IS+mC(Square) · 2011-08-26 02:39 · Score: 3, Interesting
  
  You would love to read "The Cuckoo's Egg" by Cliff Stoll. A lengthy but very interesting read.
  http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)
20. Re:All it takes by garyebickford · 2011-08-26 02:44 · Score: 3, Insightful
  
  By analogy, this is part of the reason why high security buildings around Washington DC have no windows. Too easy to 'peek' through (using some arbitrary 'peaking' technology), or break in through.
  Most normal buildings are only *apparently* secure, since a simple lock pick or broken window gets you in. I think this phishing attack is analogous to the classic Hollywood entry using a glass cutter and shorting across the alarm wiring. This gets you in the building so you can do your dirty work.
  Those high security buildings also sometimes have Faraday cages and other systems built into the structure, but that's another story.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
21. Re:All it takes by X0563511 · 2011-08-26 02:46 · Score: 1
  
  You seem to forget the part where this was only the initial attack vector. That's how they got in the front door. It doesn't say how they got into the basement.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
22. Re:All it takes by Runaway1956 · 2011-08-26 02:50 · Score: 1
  
  Most assuredly, there is a balance. It's been said many times, that if you're really concerned about security, you won't ever connect your machine to the internet.
  But, when people are connected, they should be AWARE that they are in an insecure environment. Sounds like these security contractors failed to educate their employees, not to mention that they failed to properly secure their networks. Reading an email from Joe Random Stranger is certainly not in any security protocols that I have ever heard of! Opening an attachment in that email? DUHHH!
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
23. Re:All it takes by gclef · 2011-08-26 02:56 · Score: 4, Insightful
  
  Well, that's an interesting question: how much business *does* a company actually lose by being embarrassed in an event like this? Companies keep getting hacked (Citigroup, Sony, TJmaxx, RSA), but they don't seem to be going out of business because of it, or even taking that much of a financial hit...so I'm beginning to suspect that there isn't that much impact after all.
  So, if there's no real financial impact aside from PR and cleanup, why should they bother being secure?
24. Re:All it takes by Zilog · 2011-08-26 02:56 · Score: 1
  
  If cost of security > business value then out of business. Convenience is an empiric way to estimate effective cost of security.
25. Re:All it takes by somersault · 2011-08-26 02:57 · Score: 1
  
  Damaged in who's eyes? Slashdot's? There have been seemingly hundreds of data breaches in the news this year, and while the Sony one is the biggest, I don't think most people have been that bothered. I was a little appalled, but the only thing I had to do was phone my bank and ask for a new credit card, which took 60 seconds.
  
  --
  which is totally what she said
26. Re:All it takes by WreckDiver · 2011-08-26 03:04 · Score: 5, Interesting
  
  I worked for RSA for 4 years, both before and after EMC acquired them (I was not working there when the break-in occurred). The security experts at RSA are not the people that are running EMC corporate IT. When the acquisition occurred, RSA IT was one of the first groups to be let go. EMC IT policy seemed to be more worried about meeting regulations for compliance than for implementing security policies that actually made sense.
27. Re:All it takes by Kell+Bengal · 2011-08-26 03:08 · Score: 1
  
  Except it didn't appear to be from J. R. Stranger; it was spoofed to appear to come from a recruitment website that they had used with before. The attachment was a .XLS named "recruitment strategy 2011" or somesuch, which is a perfectly plausible thing to get from a recruiter you've worked with in the past. This was a targeted attack, not just malware spam.
  
  --
  Scientists point out problems, engineers fix them
  altslashdot.org: The future of slashdot.
28. Re:All it takes by Bert64 · 2011-08-26 03:09 · Score: 1
  
  Security is a cost, both in terms of convenience as well as financial...
  However the paybacks from security are not obvious, you could make no effort on security whatsoever and still get lucky, or you could make a significant effort and still get hit by sufficiently skilled/determined (or lucky) hackers.
  You are right about complexity tho, the more complex you make a system the greater the chance of overlooking something.
  Unfortunately, the industry is dominated by large companies that have products to sell, products are generally bought by non technical managers and simplicity is a very hard sell to someone who doesn't understand, so you have lots of vendors selling ever increasing complexity.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
29. Re:All it takes by Bert64 · 2011-08-26 03:23 · Score: 1
  
  It's unlikely that they were supposed to have access, but never believe what software vendors tell you about access control...
  Most networks are entirely dependent on perimeter security, and are wide open inside... I'm talking unpatched boxes, weak/blank passwords, poor permissions, common or shared passwords and a multitude of other problems.
  Once you have access behind the firewall, even comparatively minimal access, its extremely easy to gain access to other devices.
  Speaking from experience, having conducted hundreds of penetration tests against corporate networks, consider the following:
  You get unprivileged access to a single workstation, you don't have admin access but you can execute programs and open network sockets...
  Perhaps you can escalate to admin privileges on the local workstation via an unpatched vuln?
  Chances are your unprivileged access is on an active directory domain, so you can leverage the single sign on features to access other machines, perhaps you can escalate to admin privileges on one of those?
  Chances are on a network of any size there will be at least one unpatched vuln you could exploit...
  Once you have SYSTEM privileges on a windows box you can dump the password hashes, including those of any logged in domain users... You might get lucky and a domain admin is logged in, and you can steal his password hash. If not, chances are all the machines were built from a single image so the local admin hash will work on more than just one system.
  Once you have a hash, you can use it right away, no need to crack it..
  Very quickly you have admin on the domain, and if there are other trusted domains it won't take you long to get into those too...
  Can't speak for rsa, but most companies i've seen have a single domain and rely on windows access control to deny employees access to stuff they shouldn't see... that doesn't work when you can totally subvert the system.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
30. Re:All it takes by Bert64 · 2011-08-26 03:28 · Score: 1
  
  The most important question is the bit about "why those customers accepted that arrangement"... And the problem is that quite often, people who understand the technology have no say in the procurement decisions.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
31. Re:All it takes by AngryDeuce · 2011-08-26 03:43 · Score: 1
  
  Oh, I don't know about that. I've certainly seen the phrase "I'll never buy a Sony product again!" often enough on comment threads and web sites other than Slashdot, but we'll just have to wait and see. The point is, expecting a company like Sony to fold with the same speed a Mom and Pop restaurant does after they infect a bunch of their patrons with Salmonella is silly. 99% of the time it doesn't happen like that, and when it does, that's why it's front page news everywhere.
  Even if only a quarter of the people act on those sentiments and actually boycott Sony, that's a lot of potential profits flushed down the drain, and Sony wasn't exactly driving the market before. Their stock is down 42% what it was a year ago, which has to hurt pretty damn bad.
32. Re:All it takes by AJH16 · 2011-08-26 04:05 · Score: 1
  
  Yeah, so you take over jane in Customer Service who then sends an infected e-mail to Bill in the testing unit about a problem with a product once you have the outer network access to elevate to the inside.
  
  --
  AJ Henderson
33. Re:All it takes by mr_lizard13 · 2011-08-26 04:12 · Score: 1
  
  You make a very good point. The companies hacked of late have done a very good job of painting themselves as a defenceless victim. The press even seems to be somewhat sympathetic toward them.
  
  Sony perhaps got a rougher ride than most, and quite possibly did lose a fair chunk of change, but they're still in business, along with Citi, TJ Maxx etc.
  
  --
  "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
34. Re:All it takes by UnknownSoldier · 2011-08-26 04:24 · Score: 1
  
  > Security is a cost, both in terms of convenience as well as financial...
  > However the paybacks from security are not obvious,
  Agreed. That's because security prevents _future_ expenses. i.e. Without security you WILL pay for the consequences down the road. With some security you are just delaying the inevitable which may be "good enough."
  Interesting to note that both long-term and short term apply: Benefits, Expenses, Convenience, and Costs. Balancing all 4 is not easy.
35. Re:All it takes by MrAngryForNoReason · 2011-08-26 04:32 · Score: 1
  
  Even if only a quarter of the people act on those sentiments and actually boycott Sony, that's a lot of potential profits flushed down the drain
  I'd be very surprised if anywhere near a quarter actually change their buying habits. Also the key word is potential profits, most people who rant on about boycotting companies either don't follow through, or would never have bought from them anyway.
  I am sure that even if the entire readership of Slashdot never gave Sony another pound it still wouldn't make a noticable difference to their bottom line.
  The general publics reaction to the Sony hack was, "oh, that sounds bad, I'm sure it won't affect me". The only real backlash was from PSN users who couldn't play online, but that soon evaporated once PSN went back up and they got their free stuff. They sure as hell aren't throwing their PS3s away and stopping buying games for them.
36. Re:All it takes by jc42 · 2011-08-26 04:40 · Score: 1
  
  The point is, expecting a company like Sony to fold with the same speed a Mom and Pop restaurant does after they infect a bunch of their patrons with Salmonella is silly. 99% of the time it doesn't happen like that, and when it does, that's why it's front page news everywhere.
  Actually, it's not silly at all. I remember back in the 1990s reading a report by an economics statistician (whose name I've forgotten, of course) who claimed that for the companies for which we have historical records, lifetime and company size have a zero correlation. He used the prototypical "mom-and-pop" corner store as an example, saying that big corporations like General Motors, Pan American World Airways, IBM or Digital are as likely to be gone in N years as that little mom-and-pop that you're thinking of.
  Of course, when corporations disappear, it is only occasionally due to bankruptcy, and more often from a merger. But then, when you and I die, it's not always due to internal collapse (heart attack, cancer, etc), but may also be due to being "eaten" by another species (mostly micro-organisms these days). Or killed by one of those large metal-and-plastic predators that inhabit our road/street system. ;-)
  I wonder if anyone has done another study of business survival lately. There's a lot of mythology about this, and little significant data. Everyone has their favorite theories explaining who some companies succeed and others fail, but rarely do people actually try to test their favorite theories. I know I don't have access to good data on the topic, and dying businesses have good motives to hide their internal states from prying outsiders.
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
37. Re:All it takes by SecurityTheatre · 2011-08-26 04:47 · Score: 1
  
  This is correct. It is the end-users that lose out.
  Since the USA has very limited regulatory requirements regarding privacy of user information and there are no reliable means of wronged consumers seeking damages for negligent security practices, it ACTUALLY is cheaper for a company to ignore security and let their customers take the damage, assuming that they aren't going to take too much damage to their business.
  The balance decision has little to do with security, but with skirting responsibility. This is another reason why (in my experience), breaches do not result in disclosure most of the time, they are just covered up and hushed. Yes, I've seen this as a consultant, no, it's not worth losing my job being a whistle blower.
38. Re:All it takes by SecurityTheatre · 2011-08-26 04:52 · Score: 1
  
  Good attacks will spoof external third parties who are recognized. Email is designed in a way this is possible and not practical to prevent.
  That is the nature of email, most people don't realize exactly how arbitrary email security is.
39. Re:All it takes by TheNarrator · 2011-08-26 05:32 · Score: 1
  
  There is a a very subtle but important difference between security and compliance.
40. Re:All it takes by TheNarrator · 2011-08-26 05:37 · Score: 1
  
  The key here is to firewall off different parts of the organization from other parts. The HR department does not need access to the development network, etc. They should be on different domain controllers with different domain admins entirely. Attempts to probe the network from the inside should be monitored and investigated by IT. This is very difficult on a publicly accessible internet server as there are 10s of thousands of bot attacks in a day, but should be doable inside the network. This takes a lot of IT time and is often viewed as frustrating and completely unnecessary if the organization's executives don't understand the importance of protecting against internal threats.
41. Re:All it takes by Anonymous Coward · 2011-08-26 06:33 · Score: 0
  
  Companies keep getting hacked (Citigroup, Sony, TJmaxx, RSA), but they don't seem to be going out of business because of it, or even taking that much of a financial hit...so I'm beginning to suspect that there isn't that much impact after all.
  Meanwhile, they keep wondering how the Chinese are able to produce so cheap knock-offs of practically every product they create.
42. Re:All it takes by idontgno · 2011-08-26 07:47 · Score: 1
  
  I'm curious what you propose to do when that doesn't work. Because it won't, unless you've systematically cronied up with the bosses' boss more than the boss has. And I don't see how you could have gotten away with that; a boss won't tolerate that kind of threat to their own authority and autonomy.
  The only thing a PHB fears is a subordinate with an effective means to go over his head. And he will do anything necessary to prevent that from happening.
  So, going over the boss' head fails. What now?
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
43. Re:All it takes by St.Creed · 2011-08-26 08:01 · Score: 1
  
  Subtle? Compliance is about doing things by the book, Security is about picking what book to read. They're completely different things. But you're right that the confusion between them is the root cause for many accidents.
  Fun example: I always have to laugh when my compliant screensaver tells me inane things like "never open emails from people you don't know". I wonder how HR will recruit people when they aren't allowed to open the mails from potential candidates :) (hmmm or is this the reason so few people get their mails answered by HR departments? #wondering)
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
44. Re:All it takes by u38cg · 2011-08-26 08:27 · Score: 1
  
  it is hard to imagine a structure where having access to one or more low privilege accounts wouldn't make an attacker's life somewhat easier.
  
  The rule is pretty simple: any attack that can be done by an outsider, can be done by an insider. If they had had defences against a bent user of that account, this would probably not have happened.
  
  --
  [FUCK BETA]
45. Re:All it takes by maxume · 2011-08-26 09:31 · Score: 1
  
  In the context of this story, it is basically hilarious that Excel was configured to execute the flash object.
  
  --
  Nerd rage is the funniest rage.
46. Re:All it takes by Xacid · 2011-08-26 10:34 · Score: 1
  
  I've found they're usually entirely different.
47. Re:All it takes by dbIII · 2011-08-26 11:54 · Score: 1
  
  The cleaner has physical access to probably everywhere except the server room so can get a login onto anything they like :)
computers are now part of modern society by Anonymous Coward · 2011-08-26 01:46 · Score: 0

And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?
1. Re:computers are now part of modern society by jhoegl · 2011-08-26 01:53 · Score: 2
  
  I dunno. How many people still leave their doors unlocked, drive home drunk, text and drive, say something stupid to the wrong person, vote for Republicans (haha, yeah I said it, deal with it), and etc etc.
  
  Shit is not going to stop, so all we can do is react and repair. However, when someone has a specific amount of access, perhaps a security policy and/or security training/certificate are required which would include legal or financial punishment to their lax attention.
2. Re:computers are now part of modern society by Yvan256 · 2011-08-26 01:53 · Score: 1
  
  Well, some people need to be burned a few times before learning. And there's new schemes every day. Multiplied by the planet's population.
  A couple centillion times should do it.
3. Re:computers are now part of modern society by Hijacked+Public · 2011-08-26 01:58 · Score: 1
  
  Or we can start expecting the people who have chosen to specialize their careers in preventing this type of thing, to ensure that a spreadsheet cannot exploit a bug in animation software to gain root access to the entire network.
  Cost accounting may prevent either solution from being possible, who knows.
  
  --
  "Sacrifice for the good of The State" - The State
4. Re:computers are now part of modern society by fuzzyfuzzyfungus · 2011-08-26 02:44 · Score: 1
  
  And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?
  Hear, Hear! I can't tell you how many secretaries and mailroom minions I've had to fire because they couldn't detect zero-day vulnerability exploits!
5. Re:computers are now part of modern society by Bert64 · 2011-08-26 03:30 · Score: 1
  
  Or companies need to start implementing defence in depth strategies, rather than concentrating purely on border security.
  Virtually every network i've seen has been based around the idea of a firewall separating it from the outside and virtually no security inside the network, or relying entirely on something like active directory access controls and not for a second considering how easy it is to subvert the whole thing.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
More... by Anonymous Coward · 2011-08-26 01:46 · Score: -1

The first time the niggar approached me.
I rebuked him, much as my Father did before me.
The second time the niggar approached me.
I gave him money, to hasten his departure.
The third time the niggar approached me.
I gave him food, to teach the kids active compassion.
The fourth time the niggar approached me.
I gave him my beer, as that's what he wanted.
The last time the niggar approached me.
I sat down and listened.
Lessons are all standard by JoshuaZ · 2011-08-26 01:47 · Score: 1

Keep your systems separate. If you have important keys and they don't need to be on a network when they aren't in use, don't put them on a network. Don't give people more privileges than they need to do their jobs. That does have the secondary issue that if you go too far in that direction then people will try to get around your security measures and might open up holes in the process, and they won't take security as seriously. So you need to balance that. Also, never open up attachments that you don't know who they are from. This is a really basic point that should be driven into people. And look at the extension of the file, if it looks suspicious don't open it. These are basic points. It is embarrassing that RSA of all companies would apparently have such basic security problems. But it does help drive home a point: if they can be vulnerable to simple phishing and bad attachments so can everyone.
1. Re:Lessons are all standard by tburke261 · 2011-08-26 01:49 · Score: 1
  
  Anyone who takes security very, very seriously because they have to will talk to you about the Air-Gap. It's a beautiful thing.
2. Re:Lessons are all standard by Registered+Coward+v2 · 2011-08-26 01:55 · Score: 1
  
  Anyone who takes security very, very seriously because they have to will talk to you about the Air-Gap. It's a beautiful thing.
  Unfortunately, the Sneaker Net can easily defeat the air gap. Of course, the Epoxy Filler Plug defeats Sneaker Net.
  So now we have the security geek version of Rock Paper Scissors Spock...
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
3. Re:Lessons are all standard by Pope · 2011-08-26 02:10 · Score: 1, Insightful
  
  And look at the extension of the file, if it looks suspicious don't open it.
  You mean the file extension that is hidden by default on Windows for the last decade?
  
  --
  It doesn't mean much now, it's built for the future.
4. Re:Lessons are all standard by Anonymous Coward · 2011-08-26 02:12 · Score: 0
  
  Lizard, Spock
5. Re:Lessons are all standard by X0563511 · 2011-08-26 02:16 · Score: 1
  
  .. and that excuses it how? IT should set group policy to force that option off and expose it.
  We also all know what a disaster having Microsoft involved with any kind of security beyond "feel-good" measures is. No, there is no good-fitting better alternative, but that doesn't change the fact that it's a mess.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
6. Re:Lessons are all standard by _0xd0ad · 2011-08-26 02:24 · Score: 2
  
  You mean the file extension that actually matched what the file appeared to be (Excel spreadsheet) and had nothing at all to do with the reason this attack was successful?
  If I may paraphrase JoshuaZ's point, it was "Turn on file extensions, and don't open files with suspicious extensions". It was also unrelated to this particular security breach, but at least it's still good advice in general.
  You could even search through the Windows registry for registered file types with a "NeverShowExt" value set and delete the value. Then even extensions like .url, .lnk, etc. will be visible.
7. Re:Lessons are all standard by mangu · 2011-08-26 02:26 · Score: 1
  
  the Sneaker Net can easily defeat the air gap
  IOW, Nike Air defeats Air Gap.
Warning about FTA by Hijacked+Public · 2011-08-26 01:48 · Score: 3, Insightful

Looking closer, Hirvonen found that the file seemed to match RSA's description in possible every way.
I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.

--
"Sacrifice for the good of The State" - The State
1. Re:Warning about FTA by Anonymous Coward · 2011-08-26 02:23 · Score: 0
  
  Good to know, I wouldn't want to F the article anyway...
2. Re:Warning about FTA by Anonymous Coward · 2011-08-26 04:42 · Score: 0
  
  FTA as in fuck the article?
3. Re:Warning about FTA by Anonymous Coward · 2011-08-26 06:39 · Score: 0
  
  I assumed this was a poorly translated phishing article and immediately closed my browser window and installed Linux.
  FTFY
Please by Anonymous Coward · 2011-08-26 01:50 · Score: -1, Troll

Just stop using Microsoft products. Stop using Windows, Office, Internet Explorer, MSN Messenger.
Oh, you rely on those pieces of shit to work? You built your own prison, now suffer the prison rape.
1. Re:Please by The-Blue-Clown · 2011-08-26 01:58 · Score: 1
  
  MS is vulnerable because its the biggest target out there. Android is now the biggest mobile target. As Apple gets a larger share, it will become a target as well. I dislike MS as much as anyone I know, but your statement is simply foolish. ALL systems can be compromised by stupid users. I say stupid and not ignorant. I have more than my fair share of stupid users and pushing them to Linux won't solve it. You can only solve it by building sandboxes around them.
2. Re:Please by MichaelKristopeit424 · 2011-08-26 02:14 · Score: -1
  
  You can only solve it by building sandboxes around them.
  right... because there have never been any exploits to break out of a sandbox. "solve" doesn't mean what you think it does.
  you're an idiot.
3. Re:Please by NatasRevol · 2011-08-26 02:17 · Score: 1
  
  Bullshit.
  Apple was/is the largest mobile target if you include iPod Touches, > 200M devices running iOS. If not, it's a close second to Android.
  Stil has an order of magnitude fewer attacks than Android. So biggest target != most attacks. Least secure == most attacks.
  
  --
  There are two types of people in the world: Those who crave closure
4. Re:Please by Forty+Two+Tenfold · 2011-08-26 02:17 · Score: 1
  
  PEBKAC.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
5. Re:Please by X0563511 · 2011-08-26 02:18 · Score: 1
  
  You're smart enough to understand that some systems are designed better than others. Just because it isn't the biggest target doesn't mean it's secure only via obscurity.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
6. Re:Please by The-Blue-Clown · 2011-08-26 02:25 · Score: 1
  
  Nice one. Missed the point of course. The post was about MS. Specifically if you selected MS you were asking for problems. I was attempting (failed) to point out that if Apple had the same market share they would have lots of problems as well. NO system is secure. Ask RSA.
7. Re:Please by The-Blue-Clown · 2011-08-26 02:29 · Score: 1
  
  Yes. You are correct. My point was the poster was saying that if one selects MS then they are asking for problems. I'm pretty sure that if Apple had 80+ market share there would be a lot of issues with them as well, despite the control they have over the OS and hardware and developers. Android has even less control than MS so I am certain it will be riddles with exploits.
8. Re:Please by NatasRevol · 2011-08-26 02:32 · Score: 1
  
  No, I was invalidating your point which was largest == most hit. In actuality, it's most insecure == most hit.
  
  --
  There are two types of people in the world: Those who crave closure
9. Re:Please by delinear · 2011-08-26 02:36 · Score: 1
  
  While you are right it would probably help somewhat, it wouldn't defeat phishing attacks which usually rely on "social engineering" (i.e. making someone want to do the thing you want them to do). If you can put the right attack in front of the right user (one with sufficient rights and insufficient knowledge) then no amount of security in the OS will help.
10. Re:Please by X0563511 · 2011-08-26 02:41 · Score: 1
  
  Well, I won't argue that a large chunk of the holes we find in MS are found because they are the big target. That said, even if they weren't the holes would still be there. I'm just saying the two really aren't connected (in that fashion) despite the arguments people like to toss about claiming such.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
11. Re:Please by The-Blue-Clown · 2011-08-26 02:43 · Score: 1
  
  You were attempting to invalidate my comment. Malicious code is written for an intended target. Android a year ago was more vulnerable than today, yet today it is hit more often. Why? What has changed? Its size.
12. Re:Please by NatasRevol · 2011-08-26 02:52 · Score: 1
  
  That doesn't answer why iOS, with more total users, isn't hit more than Android.
  
  --
  There are two types of people in the world: Those who crave closure
No really new news ... by Registered+Coward+v2 · 2011-08-26 01:52 · Score: 1

beyond the how part. The most telling part of the article is:

"That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."
The world's second oldest profession has been exploiting that weakness forever. They key to information is not to compromise the leaders; you get in via the support staff. They're not thinking security. It's amazing what a simple phone call can net in terms of information; even if you are up front with what you are looking for and why you want it. The internet just makes it easier to reach them and provides new tools to extract information.

--
I'm a consultant - I convert gibberish into cash-flow.
1. Re:No really new news ... by Scutter · 2011-08-26 01:58 · Score: 5, Insightful
  
  I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.
  That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.
  
  --
  
  "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
2. Re:No really new news ... by Registered+Coward+v2 · 2011-08-26 02:15 · Score: 1
  
  I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.
  While I agree with you in general, and would add that a number of root causes for the infection should be explored, the user did apparently retrieve it from the trash prior to opening it. That tells me either their spam filter causes a lot of false positives and users are used to checking junk mail for real messages, indicating a systemic problem; junk email show up in their inbox and is just flagged, another systemic problem; or, the user really wasn't trained on why email goes to buck and what to do if they think it is a mistake. It's also possible they simply open fit without thinking, in which case it was dumb, IMHO, but being "dumb" was not the only cause and the same thing will happen again unless the event is really investigated to determine various probable causes and fixes put in place.
  
  That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.
  I agree - the user was the last line of defense that was breached and there were probably systemic issues that let that happen and need to be addressed. I do think the premise of the part of the article I quoted is valid, even if a bit melodramatic; the user is the bets part of the system to exploit and often the easiest which is why it's been the target long before computer technology came on the scene.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
3. Re:No really new news ... by black+soap · 2011-08-26 03:10 · Score: 2
  
  If this was a multi-step attack, rather than just stopping the first phishing email, wouldn't detection anywhere further up the chain also have limited the damage?
frist p5ot! by Anonymous Coward · 2011-08-26 01:53 · Score: -1

aboutG a project you neEd to succeed that he documents
Social Engineering by PPH · 2011-08-26 01:54 · Score: 1, Redundant

IMO, the most cunning instance of social engineering leading to this break in was convincing a security company to use insecure software, like Excel, Windows, and Flash.

--
Have gnu, will travel.
1. Re:Social Engineering by kevinNCSU · 2011-08-26 02:17 · Score: 1
  
  If there was such a thing as "secure" software what would be the purpose of a security company?
2. Re:Social Engineering by rgviza · 2011-08-26 02:22 · Score: 0
  
  as opposed to open office, linux, and html5? he heheh hehehehehelmao The only truly secure software is sitting inert on a cdrom in it's case. The rest of it is vulnerable (either through vulnerabilities discovered or not yet found and the exploits that use them) If man made it, man can break it. If you don't believe this, you have already lost at the game that has become security. There is _always_ a way and always will be. You can't rely on secure software to make yourself secure. There's no such thing. Defense in depth and behavior modification are the only things that work and neither has much to do with what software you use..
  
  --
  Don't kid yourself. It's the size of the regexp AND how you use it that counts.
3. Re:Social Engineering by Provocateur · 2011-08-26 02:28 · Score: 1
  
  I don't know...to prove that God doesn't exist?
  *POOF!*
  
  --
  WARNING: Smartphones have side effects--most of them undocumented.
4. Re:Social Engineering by X0563511 · 2011-08-26 02:52 · Score: 0
  
  So, since it cannot be done perfectly we should just give up? Is that what you are saying?
  The point of security is not necessarily to COMPLETELY stop unauthorized activity, although that is nice. The point is to try to make it prohibitively inconvenient or difficult to proceed.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
5. Re:Social Engineering by Anonymous Coward · 2011-08-26 03:16 · Score: 0
  
  to manufacture it
6. Re:Social Engineering by Chris+Mattern · 2011-08-26 04:06 · Score: 1
  
  There is no such thing as "secure" software because anyone who speaks of "security" as an absolute is a fool (this applies in things other than softare, by the way). There is, however, software that is more secure and software that is less secure.
7. Re:Social Engineering by Anonymous Coward · 2011-08-26 12:37 · Score: 0
  
  The most secure code is the kind that never runs.
I can believe it by sandytaru · 2011-08-26 01:54 · Score: 2

End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.

--
Occasionally living proof of the Ballmer peak.
1. Re:I can believe it by Anonymous Coward · 2011-08-26 02:48 · Score: 0
  
  All well and good except when its a 0 day, as this was.
2. Re:I can believe it by Anonymous Coward · 2011-08-26 05:39 · Score: 0
  
  All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.
  Bring the son in for questioning...
I thought macro viruses were dead? by TerranFury · 2011-08-26 01:56 · Score: 1

How do you own someone with an XLS file nowadays?!
(I'm assuming, "How dangerous can it be? It's not an executable!" is exactly what the hapless employee who opened it was thinking too...)
1. Re:I thought macro viruses were dead? by TerranFury · 2011-08-26 02:03 · Score: 1
  
  Having now read TFA (always a good policy), it looks like a Flash exploit was involved. Maybe the Flash applet was embedded using OLE?
2. Re:I thought macro viruses were dead? by Anonymous Coward · 2011-08-26 02:05 · Score: 0
  
  Not to mention, Excel by default warns you of any files containing macros, and Windows warns you of any privileges you might be escalating for any file. To be infected, this person has to have repeatedly made consecutive poor security decisions.
3. Re:I thought macro viruses were dead? by ahecht · 2011-08-26 02:08 · Score: 2
  
  It wasn't a macro, it was an embedded Adobe Flash object.
4. Re:I thought macro viruses were dead? by Inda · 2011-08-26 02:09 · Score: 1
  
  This work PC is locked down to the wire. One of my jobs is to wirte Excel spreadsheets including VBA.
  
  Accessing the FSO (File System Object) is childs play. I can read, write and delete anything I have access to on the network.
  
  It's that easy. Still.
  
  And then there's the Window APIs I can access through VBA...
  
  And I'm pretty poor at doing this stuff (but better than 99% of the office workers)
  
  --
  This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
5. Re:I thought macro viruses were dead? by rgviza · 2011-08-26 02:23 · Score: 1
  
  get them to click "Run macros" or whatever the dialog says
  
  --
  Don't kid yourself. It's the size of the regexp AND how you use it that counts.
6. Re:I thought macro viruses were dead? by X0563511 · 2011-08-26 02:23 · Score: 2
  
  So it wasn't just a ball of mud, it was a ball of mud with a nugget of shit in the middle?
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
7. Re:I thought macro viruses were dead? by EXrider · 2011-08-26 03:33 · Score: 1
  
  If you watch the video in TFA, you'd see that there were zero prompts besides the classic Outlook you're opening an attachment dialog. Excel happily executed the embedded Flash object without any warning or notification at all. Absolutely ridiculous, why anyone would think Flash (arbitrary code execution) embedded in a damn spreadsheet, is useful and even a remotely good idea is beyond me.
  
  --
  grep -iw skynet /etc/services
8. Re:I thought macro viruses were dead? by Anonymous Coward · 2011-08-26 05:45 · Score: 0
  
  ...the hapless employee who opened it was thinking...
  I think you give said hapless employee too much credit there.
9. Re:I thought macro viruses were dead? by Anonymous Coward · 2011-08-26 08:12 · Score: 0
  
  If the system is properly locked down, you won't be able to write to certain parts of the file system (e.g. Program Files folder tree), nor certain parts of the registry (e.g. HKLM). If you can write to those areas, then the system isn't secured as much as you think.
  - T
They Hacked the NSA? Wow! by snsh · 2011-08-26 02:12 · Score: 0

http://xkcd.com/932/
Agreed. Google Docs FTW by Anonymous Coward · 2011-08-26 02:12 · Score: 0

Yes they should be using Google Docs instead especially on those backend machines.
1. Re:Agreed. Google Docs FTW by Anonymous Coward · 2011-08-26 02:32 · Score: 0
  
  You probably joke, but a lot of exploits would've been avoided if everyone went through google docs for all their "office" needs (or maybe not "google" but some internal equivalent version).
Flash Embedded in Excel? by Blackeagle_Falcon · 2011-08-26 02:14 · Score: 3, Insightful

I join F-Secure in asking, "why the heck does Excel support embedded Flash"?
1. Re:Flash Embedded in Excel? by maxwell+demon · 2011-08-26 02:29 · Score: 5, Interesting
  
  Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something). Unfortunately that line has been crossed by about every document format, from office files (Word, Excel, ...) over HTML (JavaScript) to PDF.
  There should be a set of standard document formats which are guaranteed to not contain any executable code whatsoever, so except for possibly exploiting buffer overflows in interpreting code, displaying the documents is safe. It should be impossible by specification to insert any "active content", i.e. programs, in such documents.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
2. Re:Flash Embedded in Excel? by owlstead · 2011-08-26 02:48 · Score: 1
  
  And as an engineer, I would say: because it shares a code base with other Microsoft products. But that does not make it less wrong. And the problem is two fold: why does it support it at all, widening the attack surface, and why does allow Excel, and then the OS that it compromises security in such a way. IMHO, talking security is about talking "security layers", and both at RSA and with current operating environments, the layers allow for too much to slip by.
3. Re:Flash Embedded in Excel? by jonwil · 2011-08-26 02:53 · Score: 0
  
  The world would be a better place if Microsoft hadn't invented the garbage known as VBA and VBScript.
  Whoever thought that emails should have scripting (or even HTML) should be hit on the back of the head with an IBM Model M keyboard.
  Same with the idiots that thought that having programming languages inside documents was a good idea.
4. Re:Flash Embedded in Excel? by Anonymous Coward · 2011-08-26 02:59 · Score: 0
  
  Why wouldn't it? It can embed Flash for the same reason it can embed bits of Word text, or a video, a PowerPoint presentation, &c. There's nothing wrong with that, and for many people (especially in the corporate world) the ability to embed arbitrary documents in each other is a necessary feature.
  The exploit wasn't in Excel, but in Flash. Place the blame where it belongs: the fact that one of the most buggy applications out there has such a big installed base that websites can rely on it for basic functionality, making not having it installed not an option.
5. Re:Flash Embedded in Excel? by KliX · 2011-08-26 03:00 · Score: 1
  
  Dude, once a stream is being parsed, you are always screwed. There will always be a security hole.
  Doesn't matter if the 'executable' code is essentially in the document; or the document itself, running against a parser.
  They're really the same thing.
6. Re:Flash Embedded in Excel? by garyebickford · 2011-08-26 03:00 · Score: 1
  
  Much of the success of Apple, object-oriented systems in general, and later NeXT and the World Wide Web (which was inspired by the NeXT on Berners-Lee's desk), was due to the ability to support 'rich' documents. Back in 1989 being able to send an audio or video file to an associate as part of an email, or incorporate as a natural part of a shared document, was pretty much the 'killer app' for the NeXT. So this raises the question, "How do we define 'executable' in this context?"
  For example, a video might have bogus image data that happens to tickle a buffer overflow in the video display program, that causes it to perform a jump into the memory space where the video data resides, which happens to have been specially constructed to execute a hack. There's no 'executable' capability in the video, but in fact it does cause execution of malware.
  That's pretty much how many of the simple hacks of the 1990s and later worked. Most of those holes have been closed (I hope), but more sophisticated equivalents will always continue to arise, as systems (including the humans in the loop) continue to change, expand and advance. The best analogy is the disease process in biology, where immune systems can be modeled for use in anti-malware systems. IBM and others have investigated as a model for computer malware protection
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
7. Re:Flash Embedded in Excel? by maxwell+demon · 2011-08-26 03:15 · Score: 1
  
  I never claimed that such a format would end all security concerns. I even mentioned the possibility of exploiting buffer overflows myself.
  However it is a huge difference if attacks can only be done through bugs in the implementation, or if attacks could also happen due to an oversight in the specification, making even completely bug-free implementations vulnerable. For pure-content formats, one can be sure that the specification has no security problems (because it doesn't specify anything executed). Only the implementation vulnerabilities remain.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
8. Re:Flash Embedded in Excel? by rb12345 · 2011-08-26 04:40 · Score: 1
  
  It's not that it supports embedded Flash, it's that it supports embedded COM objects, which includes OLE and ActiveX. Now, if you you're including embedded Word documents, charts, images and equations, it's great. If you want to write your own custom control for your own purposes, that might also be useful! It also means that you can embed Flash and Media Player as a side-effect.
  The downside is that Excel (and any other program that can embed such objects in their files) can be used to exploit bugs in any COM object that's registered on the system viewing the file. This includes Word and Flash, but also things like the built-in tree controls. A lot of these were never really thought of as at risk of attack from Internet-based files, since only local applications were meant to be using them. They might even be blocked from loading in IE, too, due to not being marked "safe for scripting/instantiation". Excel has less (none?) of IE's sandboxing or restrictions, though, so you get even more opportunity for exploits.
9. Re:Flash Embedded in Excel? by sorak · 2011-08-26 05:07 · Score: 1
  
  Or we could just provide a "security" mode. MS Office just makes a feature that says "no macros or flash of any kind in anything that gets opened". They may already have it, but it is hidden in a dialog box that takes twelve clicks to get to, and will be moved to a different location once Office 2011.5 comes out.Anyway, my big innovation is (wait for it)...
  Put it on the ribbon.
  That's right! Don't hide the "prevent me from fucking over the entire company because i don't need a motherfucking punch the monkey banner in the middle of our Q3 finances" button. Put it where people, (even your dimwitted bosses boss who would be on welfare if he weren't related to the CEO), can find it.
10. Re:Flash Embedded in Excel? by oursland · 2011-08-26 05:28 · Score: 1
  
  Could you explain your reasoning more? I'm not seeing how parsing an ASCII text file or similar static document necessarily means there's a hole to be exploited. Besides, there are numerous documents that are purely descriptive in nature without depending on render time execution.
11. Re:Flash Embedded in Excel? by firewrought · 2011-08-26 05:54 · Score: 1
  
  Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something).
  
  There aren't just two buckets (documents and programs). There is an entire spectrum that starts with documents (what I'd call declarative knowledge) and ends with programs (imperative knowledge). In between are things like SQL and Regular Expressions and so forth. The middle of that spectrum is actually pretty interesting because you start to gain a lot of functional power with these quasi-programs (which let you transfer power and creativity to end users without having to re-involve the original developers/standards committee each time), but you don't get so close to Turing completeness that you lose analytic power... the ability to think and reason about that piece of knowledge. There's a sweet spot, in other words... once you go full-imperative, you lose the ability to make several types of guarantees and transformations.
  So that's one view in which a strict separation doctrine seems a bit a naive, which wouldn't come as a surprise to any Lisp programmer: data is code and code is data. You can really see this interplay with things like JPEG or PNG or other compression formats... nominally it's just a bunch of bytes that the parser needs to do some math on. But the math is really complex, and sometimes a document can trick the parser into executing those bytes on its behalf. To ultimately defend against such threats you need additional measures -- good user interface design, good automatic updates, use of well established libraries, good security testing and code auditing, ASLR, NX bit, and so forth.
  But yes, it would be nice to see a little more restraint in arbitrarily adding functionality to existing document formats (PDF's and HTML can do 3D now for crying out loud ^%#$%^!).
  
  --
  -1, Too Many Layers Of Abstraction
12. Re:Flash Embedded in Excel? by Cecil · 2011-08-26 08:42 · Score: 1
  
  Well... there's ASCII.
  
  --
  Random and weird software I've written.
13. Re:Flash Embedded in Excel? by yuhong · 2011-08-26 10:00 · Score: 1
  
  On the other hand, binary file formats that disguise untrusted data as a C struct makes things worse, as C is an unsafe language that for example sliently truncate on integer overflow.
14. Re:Flash Embedded in Excel? by Anonymous Coward · 2011-08-26 17:23 · Score: 0
  
  PDF/A is a document format that guarantees accurate rendering of print materials and devoid of active content.
15. Re:Flash Embedded in Excel? by maxwell+demon · 2011-08-26 19:20 · Score: 1
  
  But the problem is that you can't distinguish PDF from PDF/A before opening it. So you have to trust that a claimed PDF/A document really is PDF/A. Which is dangerous because PDF and PDF/A are opened with the same program.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
16. Re:Flash Embedded in Excel? by Lunzo · 2011-08-28 13:52 · Score: 1
  
  It comes back to the Von Neumann model of computation which pretty much all modern computers use. Both data and executable instructions are loaded into memory. Once in memory both are just a sequence of 1s and 0s and appear the same to the CPU. It has no way of telling that a particular section of memory is executable and another is not.
  If your "data" 1s and 0s just so happen to match the machine code and you get an instruction pointer to jump to where that data is in memory then you're now executing "static data". For example, this is how buffer overflows and JIT compilation work.
17. Re:Flash Embedded in Excel? by oursland · 2011-08-28 14:20 · Score: 1
  
  Although correct, that depends on an exploit to some programming error such as an unchecked buffer access. Programs (and therefore parsers) can be written in such a way that lends itself to automated correctness checking. But, when you permit executable objects to be embedded within your data format, there simply is no way to prove correctness. There are some strategies to limit system exposure to these embedded objects, but as we have seen before, they often leak information or have security vulnerabilities.
  
  TFA does a fine job of demonstrating how passing control to an embedded executable object (Flash) leads to a situation where Microsoft Word, which normally provides warning, fails to inform the user of the potential threat.
Fir5T by Anonymous Coward · 2011-08-26 02:14 · Score: -1

direct orders, or these rules wiil here, please do departurres of
Suspicious claim by F-Secure by Trufagus · 2011-08-26 02:16 · Score: 2

So an anti-virus company, always on the lookup for free publicity, claims that it has come what might have been the e-mail that took down the RSA.
And this makes the news?
In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.
1. Re:Suspicious claim by F-Secure by hAckz0r · 2011-08-26 06:24 · Score: 1
  
  Not only that, but the RSA people submitted the email to Virus Total and it passed all tests, including the one from F-Secure. In effect, their product did nothing to prevent the exploitation, or even detect it. Why do you think they wanted the email so bad as to search throughout millions of submitted files for weeks? They needed the sample to build a "signature" for the custom exploit so they could say that their snake oil works wonders.
  .
  AV products are a loosing battle. If you have to get shot first to know where the enemy is attacking from then you can't win the battle by attrition.
  .
  What is needed is smarter systems that protect us via hardware, like Qubes OS. Qubes OS would have allowed that user to grab the attachment and move it to a safe/isolated VM to be opened where it could do no harm. Even if the flash applet could some how write some persistent code to a read only file system it could not open an outgoing connection with no networking services or hardware to support networking. It would be a dead end for that malware attack. End of story. The problem then is forcing the attachment from one VM with networking into another to be isolated, and that for now still relies on the user.
Re:They Hacked the NSA? Wow! by m50d · 2011-08-26 02:17 · Score: 1

Except no. If you've been following this story, it wasn't just defacing their website, the attackers got the crown jewels this time.

--
I am trolling
Moral of the story.... by Lumpy · 2011-08-26 02:18 · Score: 4, Insightful

If you use a commodity OS inside your secure network. you will get hacked and you will get it knocked over.
If you have a high security network and run windows and office on it, it's not high security anymore.
you run apps and Operating systems rated for the security that are tightened down. only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.

--
Do not look at laser with remaining good eye.
1. Re:Moral of the story.... by Anonymous Coward · 2011-08-26 04:40 · Score: 0
  
  There's got to be a balance between security and productivity. Having all of your employees run linux from the command line is not productive.
2. Re:Moral of the story.... by Lumpy · 2011-08-26 05:24 · Score: 1
  
  Linux? I'm talking hardened BSD running X.
  and no there isn't ask the military. They have already dealt with this. at NORAD each workstation has two PC's and you switch between a secure and a insecure. you as the user have ZERO physical access to the secure box, it's actually in a locked box bolted to the desk.
  
  --
  Do not look at laser with remaining good eye.
first.=.. by Anonymous Coward · 2011-08-26 02:20 · Score: -1

anothe8 foldEr. 20
Are you paranoid enough? by Anonymous Coward · 2011-08-26 02:26 · Score: 0

I would like to think I would never fall for something like this. But if this email had a return address of someone in the company? That would make it seem VERY legitimate. Of course, if I don't usually receive emails from that person, I might assume the email was misdirected and not open it. Maybe.
As far as my home email is concerned, the only reliable indicator I've found for phishing attempts is bad grammar and spelling. If these attackers get a good grasp of the English language, we're screwed.
1. Re:Are you paranoid enough? by EXrider · 2011-08-26 03:42 · Score: 2
  
  I would like to think I would never fall for something like this. But if this email had a return address of someone in the company? That would make it seem VERY legitimate.
  If your mail admin (or outsourced mail provider) allows inbound messages that are spoofing your company's domain(s), they are worthless and have no business running your mail system.
  
  --
  grep -iw skynet /etc/services
2. Re:Are you paranoid enough? by omnichad · 2011-08-26 06:46 · Score: 1
  
  They could have spoofed a vendor's domain (didn't read the article). How could their mail server detect that unless there are some very strict SPF in place for that domain?
3. Re:Are you paranoid enough? by EXrider · 2011-08-26 07:10 · Score: 1
  
  SPF, another mail system element that is trivial to implement, that any sysadmin worth a damn should have done already; but I suppose you're right, a spearphisher that has intimate knowledge of an organization could spoof a vendor's email address. I don't know about you, but I don't open unsolicited attachments from anyone these days, Sally in Accounting OTOH...
  
  --
  grep -iw skynet /etc/services
MS is vulnerable. Period. by mangu · 2011-08-26 02:36 · Score: 3, Interesting

MS is vulnerable because its the biggest target out there.
While it's true that few people would try to exploit a system nobody uses, MS does its share of the effort to become insecure.
In this specific case, the first breach was done by a Flash program embedded in an Excel spreadsheet. We are going waaay back to all that DDE/COM/OLE/ActiveX thing that has been opening so many backdoors in Microsoft systems for the last decades. Broken by design.
1. Re:MS is vulnerable. Period. by The-Blue-Clown · 2011-08-26 02:44 · Score: 1
  
  Very true.
2. Re:MS is vulnerable. Period. by dbIII · 2011-08-26 12:03 · Score: 1
  
  Flash program embedded in an Excel spreadsheet
  I didn't even know they had made such a stupid thing possible. I'm starting to understand now why malware is far more prevalent than it was earlier despite a decade of MS pretending to focus on security. The best programmers available can't help when stupid choices are made by well connected inbred idiots with MBAs in shouting.
RSA doesn't virus-scan email attachments? by Anonymous Coward · 2011-08-26 02:47 · Score: 0

The biggest questions left unanswered by all of this are:
1) Why doesn't RSA scan all incoming email and all attachments for malicious payloads?
2) Even if they do, why didn't said anti-virus, IDS, or IPS system they have in place identify this Poison.Ivy payload?
3) If their anti-virus detection measures failed to detect this (apparently) known exploit (Poison.Ivy from the Network World article), what product(s) are they using?
My hunch is that it isn't F-Secure, because the inference is that their products would have detected the problem and quarantined and stripped the email of the attachment before delivering it to recruiter Dum Bass in HR.
Houston, we have a problem. by luis_a_espinal · 2011-08-26 02:48 · Score: 3

Dude, c'mon...

then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.
Because that is not a hypotesis but a logically inevitable consequence. Your logic is awesome.

you're an idiot.
Noooo, he's a professional. His job is to escalate and let the chips fall where they may, and in the unlikely chance of getting fired, he goes to get another job. Yeah, yeah, even in this bad economy, that's what you do.
Barring some streneous condition (having a newborn baby or a shitload of medical bills) if someone doesn't escalate things when necessary due to fear of getting fired (an implication of a near complete lack of alternatives) one has to wonder what type of technical value if any such a person has to offer considering that he surrenders his professional duties to that kind of unspoken, on-the-job black-mailing and/or ZOMG! phear of getting hopelessly unemployed.
1. Re:Houston, we have a problem. by Anonymous Coward · 2011-08-26 03:27 · Score: 0
  
  There's a reason why the idiot you replied to has a -1 default post score.
2. Re:Houston, we have a problem. by MichaelKristopeit424 · 2011-08-26 03:33 · Score: -1
  
  the exact thing happened to me at a previous company where people under my manager constantly end ran around the manger to the VP, and the VP and CEO got sick of it and fired the entire team.
  escalating things around your manager defeats the purpose of having a manager.
  you're an idiot.
3. Re:Houston, we have a problem. by MichaelKristopeit425 · 2011-08-26 03:36 · Score: -1
  
  ur mum's face is the idiot.
  there is a reason why i've been paid over 6 figures by companies with billion dollar market caps for the last 10 years.
  cower in my shadow some more, feeb.
  you're completely pathetic.
Re:They Hacked the NSA? Wow! by Megane · 2011-08-26 03:10 · Score: 1

Except that they hacked RSA. So the first panel would have to say that hackers took down the website of ZIA for the analogy to apply.

--
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
PC user running as an administator? by andmalc · 2011-08-26 03:18 · Score: 1

Can we also assume that the user had Admin privilages on the PC? Could the exploit have otherwise got control of the OS?
1. Re:PC user running as an administator? by babywhiz · 2011-08-26 06:20 · Score: 1
  
  Probably because they had some software they use that requires Admin in order to even function. Talk to Autodesk and UPS about that one.....although, if there were more human eyes looking at 'suspect emails' in the first place........excuse me, time to run some kids off my lawn....
2. Re:PC user running as an administator? by St.Creed · 2011-08-26 08:15 · Score: 1
  
  No admin privileges needed - once you're running on the OS you can exploit numerous bugs to elevate your privileges but perhaps they didn't even need that. Just having access to all of the user-files would be pretty usefull in and off itself.
  I've been bitten by that one before when I read a tweet that opened up javascript that opened a PDF that had embedded scripting that executed and closed. The next day I got a call from my hosting provider that my FTP-accounts had been closed due to suspicious activities. My FTP-software config files were read so the passwords were compromised. You don't need admin access for that. The same goes for telnet-software that stores passwords, terminal session software and browsers with passwords stored in files.
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Any questions as 2Y I use these? by Anonymous Coward · 2011-08-26 03:25 · Score: -1

Custom HOSTS files, Firewall rules tables (both hardware router & software types), PLUS filtering DNS servers (Norton DNS, OpenDNS, & ScrubIT DNS in combination w/ one another BOTH in my IP stack settings, PLUS in my router/firewall)?
"Defense-in-Depth"/"Layered-Security" tends to work is why - what one method doesn't catch? The others MOST LIKELY, will...
Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:
Norton DNS -> http://nortondns.com/ [nortondns.com]
ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
OpenDNS -> http://www.opendns.com/ [opendns.com]
(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)
HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")
HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!
(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)
ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!
* That's all in combination here with more "std. fare" such as Microsoft Security Essentials on Windows 7 64-bit fully patched + Security Hardened as of yesterday via BOTH MBSA (Ms Baseline Security Advisor) + CIS Tool for Windows 7 (took me 2 days this round, because the CIS Tool has changed in its requirements for Win7, harder imo in many ways, PLUS I found it tended to overlook some things that the older benchmarks for Windows 2000/XP/Server 2003 do not (mostly registry & filesystem permissions)).
APK
P.S.=> I won't go & post my "entire HOSTS files vs. DNS Servers & AdBlock alone" std. cut-N-paste post though, I have done enough of that the past year here & I wager MOST OF YOU have seen it, + hopefully read it (even those of you that are pretty much "security-guru" types, because even though I've been doing those types of guides since 1997 online publicly (& for years before that))? I still learn a "new trick or two" here and there, like anyone else can... heck, it's a "wasted day" IF I don't pick up something new I figure!
For those interested who are NOT aware of how to fully security-harden an OS + its applications, as well as safe(r) "surfing & email practices"? Here is the "full gamut" on that account:
http://www.bing.com/search?q=how%20to%20secure%20windows%202000%2Fxp&PQ=%22HOW%20TO%20SECURE%20Windows%202000&SP=1&QS=AS&SK=&sc=2-27&form=WLETSS&pc=WLEM
AND, if you're interested in how & why (plus when, & where) HOSTS files aid you for layered security, added speed + bandwidth online (nice "side effects" of the 1st part is a result), & as well as added anonymity to a degree (a possible here too)? Here is one of my older posts on that account:
http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700
Enjoy - those are just meant for the "common-good" around here & elsewhere online for the sake of security...
... apk
If hapless employees are your problem... by mypalmike · 2011-08-26 03:46 · Score: 1

All you need to do is provide a hap to every employee on their first day of work. Then, later just have an annual hap screening to make sure everyone still has one. Haps can be expensive, but the cost of employees being hapless is much higher.

--
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
RSA uses a free security service? by MobyDisk · 2011-08-26 04:14 · Score: 1

I am intrigued that RSA forwards their emails to a free virus scanning service. I should going to start my own service. Any company with highly sensitive information is welcome to send it all to me. Don't worry though: we have a posted privacy policy somewhere on our web site.
Ooh, even better idea! How about sending all your passwords to my free service too, and I'll let you know if any of them are insecure!
I've Been Getting A Lot of These Lately by Anonymous Coward · 2011-08-26 04:46 · Score: 0

So far, todays include "ACH payment rejected" from 171.229.252.128 with a report_numbers.pdf.exe file,
"Thank you from Google!" from 184.77.112.65 with a zip file, and "Fraud tax income" from
14.97.106.122 with another blah.pdf.exe file. I wish I had more time to load them up on an instrumented
box and see what's up.
To extend this principal out a bit by RobertLTux · 2011-08-26 05:11 · Score: 1

Every New Hire Pack should have the following to be given to the New Hire
1 a current employee handbook (in a readable language)
2 a Hap
3 a Round Tuit
4 a Clue
5 whatever else is normally provided
6 that stack of paperwork that various departments need for a New Hire

--
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Why A technically unjustified downmod? by Anonymous Coward · 2011-08-26 05:52 · Score: 0

And, then running away? Now - above ALL else?? Well... I may post as AC, but we all see who the TRULY "anonymous COWARDS" are around here, in yourself (whoever downmodded my post without technically justifying WHY & on valid factual & undeniable grounds in computing, not some other off topic trolling crap!)
The type that hit & run downmods + runs from saying why and on what TECHNICAL GROUNDS (because anything else, is pure 100% OFF-TOPIC Bullshit, period) is ruining slashdot... yes, I had to say it, & I am NOT alone in it either!
In fact yesterday's post on Mr. Malda Resigning here had several postings saying "SLASHDOT IS DYING" & one even had some substance behind it...
I.E./E.G.-> Evidences, in citing attendance drops around here, & your "kind/ilk" (cowardly little trolls of all types) is most likely why.
APK
P.S.=> The type that does that, alongside adhominem attacks & other forms of effete "not men" type trolling (such as being wannabe human spellcheckers OR illusions of being professional writing critics etc./ et al on your parts)?
Face it, because we ALL know this much:
You KNOW you can't stand up to me on technical grounds on this account, or really, ANY other in posts I am involved in... that's for nearly 7 yrs. now straight here too - show me once where "your kind" has "gotten the best of me" on technical grounds (or really any others)... you can't!
Too many of "your kind" since 2005 have tried only to end up with egg on your faces everytime, eating your own trolling off topic illogical forums "illogic-logic" style adhominem attacks flavored with the "bitter taste of YOUR OWN defeat" to wash it down as you *drink-it-in-&-digest-it", as I wiped the floor with your type here in technical debates!
Thus - so all you have left, are these effete hit & run downmods...
Fact is - this tells us all how you've lived your lives in fact - you're the kind of dweeb who did the jocks' homework while being made to WATCH as your g/f gave them a "good time" in front of you (assuming any girl would even go NEAR a cowardly weasel like your kind, because you're MORE WOMEN THAN WOMEN ARE)... period!
... apk
Yes, they should have kept the token seeds secure by subreality · 2011-08-26 09:52 · Score: 1

I DO fault RSA for not compartmentalizing their security. A compromise of a user desktop should be expected. The fact that this foothold let someone get to the token seeds suggests some serious design and procedural negligence on RSA's part. The damage should have been limited to some emails getting leaked, not a compromise of their most vital secrets.
443 and other SSL by wirelesslayers · 2011-08-26 10:06 · Score: 1

Do not forget the 443 and others SSL doors. Most of those new exploit/connect back/trojans take advantage in those doors, that are generally opened without restrictions.
Read/write and executable insanity by dbIII · 2011-08-26 11:50 · Score: 1

MS Office and similar has taught far too many people to circulate stuff in an unfinished editable format when it should be a finished read only document. If you are not collaborating on something it makes no sense at all to get the documents in a editable format. How can you trust somebody not to alter a contract if you send it in MS Word format? On the other side we have things like in the article to show that you can't trust received documents of this sort from an unknown source.
continuum by nten · 2011-08-26 12:49 · Score: 1

It was an exaggeration, there are text editors for VMS that haven't required a bug fix in decades. There is almost no chance that between its maturity and simplicity that it still has security holes. However his point is that its not a black and white problem of executable or not executable. Writing a secure text editor is easier than writing a secure word processor, media codecs are not parsing executable files by intent, but there have been holes in them anyway. Its a continuum of increasing complexity and decreasing security from text editors to mp3 players, to sandboxed javascript to piping turing complete languages off the internet directly into your kernel space (webGL). The simple knee-jerk against scripting is misguided both in the sense that the value of adding scripting can in some situations outweigh the risks, and in the sense that a format that isn't intended to have executable content but can still be an avenue of attack.

--
refactor the law, its bloated, confusing and unmaintainable.
Secure but useless by nten · 2011-08-26 13:08 · Score: 1

There are spreadsheets that contain data that the company needs to be kept secure. If the argument is that they should be in gnumeric or open office that's one thing, but even they have scripting languages in them. Furthermore there is source that needs to be written and compiled and tested in secure environments. Simply denying the user all access to executable languages is not an option for some secure systems. Even denying physical access is probably not possible in some test labs. What fits for NORAD doesn't fit for everyone. No easy answers just lots of diligence and mistakes and hard lessons.

--
refactor the law, its bloated, confusing and unmaintainable.
stupid insider by cratermoon · 2011-08-26 13:17 · Score: 1

I used to work for one of the world's leading sporting goods companies. We had contractors onsite with the same network/desktop configuration and access as full time employees. At least one of these outsourced but in-house contractors was stupid enough to fall for pretty much any phishing/fake anti-virus/whatever scheme you can come up with. I have no doubt that any company in the US (what does that mean any more, anyway?) could be compromised given enough persistence and relentless effort to find THAT GUY.
The sad part is by Anonymous Coward · 2011-08-26 14:42 · Score: 0

Because the network in RSA/EMC was so flat an email to HR was able to penetrate parts of the network only engineers really needed access to. And of course now the network is locked up so freakin tight the engineers have trouble doing any work at all, yet HR still has access to excel, flash an every other security hole on their machines.